
NPM: fix security update for indirect and direct dependencies #10371

Merged 6 commits on Aug 7, 2024

Conversation

jakecoffman
Member

@jakecoffman jakecoffman commented Aug 5, 2024

What are you trying to accomplish?

When a security update is run and the project has the vulnerability as both a direct dependency and an indirect dependency of other top-level dependencies, Dependabot only fixes the top-level dependency.

By using the audit's abilities during the lowest_security_fix_version check we can return nil to force a full unlock.

Also made a slight modification to return audit results more often when doing a security update.

Anything you want to highlight for special attention from reviewers?

How will you know you've accomplished your goal?

I have a real-world test here: https://github.com/dsp-testing/npm-multiple-top-level-ancestors

The PR created should remove all instances of the vulnerable lodash.

Checklist

  • I have run the complete test suite to ensure all tests and linters pass.
  • I have thoroughly tested my code changes to ensure they work as expected, including adding additional tests for new functionality.
  • I have written clear and descriptive commit messages.
  • I have provided a detailed description of the changes in the pull request, including the problem it addresses, how it fixes the problem, and any relevant details about the implementation.
  • I have ensured that the code is well-documented and easy to understand.
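The situation the description lays out can be modelled as a small graph question: is the vulnerable package reachable directly from the root, and also through other top-level packages? The Ruby below is an added illustration written for this page, not Dependabot's code; the dependency graph, the package names other than lodash, the `fix_version_or_full_unlock` function and the `fixed_in` value are all constructed assumptions. It shows why bumping the single direct entry is not enough and mirrors the PR's decision of returning nil to signal that every ancestor must be unlocked.

```ruby
require "set"

# Constructed sample dependency graph (not a real lockfile): package => deps.
# "lodash" stands in for the vulnerable package and is reachable both directly
# from the root and through the top-level packages "express" and "gulp".
SAMPLE_GRAPH = {
  "app"      => ["lodash", "express", "gulp", "debug"],
  "express"  => ["lodash", "debug"],
  "gulp"     => ["vinyl-fs"],
  "vinyl-fs" => ["lodash"],
  "debug"    => [],
  "lodash"   => [],
}.freeze

# Depth-first reachability with a visited set so cyclic graphs terminate.
def reachable?(graph, from, target, seen = Set.new)
  return false unless seen.add?(from)
  graph.fetch(from, []).any? { |dep| dep == target || reachable?(graph, dep, target, seen) }
end

# Classifies how `target` enters the tree: directly from the root, and/or via
# which top-level packages. Returns { direct: bool, top_level_ancestors: [names] }.
def vulnerable_paths(graph, target, root: "app")
  top_level = graph.fetch(root)
  {
    direct: top_level.include?(target),
    top_level_ancestors: top_level.reject { |d| d == target }
                                  .select { |d| reachable?(graph, d, target) }
                                  .sort,
  }
end

# Hypothetical decision function modelled on the PR description: when the
# vulnerable package is both a direct and an indirect dependency, a single
# "lowest fix version" for the direct entry would leave the transitive copies
# in place, so return nil to signal a full unlock of every ancestor. Otherwise
# return the first non-vulnerable version from the (constructed) advisory.
def fix_version_or_full_unlock(graph, target, fixed_in:, root: "app")
  paths = vulnerable_paths(graph, target, root: root)
  return nil if paths[:direct] && !paths[:top_level_ancestors].empty?
  fixed_in
end

if __FILE__ == $PROGRAM_NAME
  paths = vulnerable_paths(SAMPLE_GRAPH, "lodash")
  puts "direct: #{paths[:direct]}, via: #{paths[:top_level_ancestors].join(', ')}"
  strategy = fix_version_or_full_unlock(SAMPLE_GRAPH, "lodash", fixed_in: "9.9.9")
  puts "strategy: #{strategy.nil? ? 'full unlock' : "bump direct entry to #{strategy}"}"
end
```

Running it on the sample graph reports that lodash is direct and also reachable via express and gulp, so the strategy is a full unlock; on a graph where lodash is only a direct dependency the constructed fix version is returned instead. A real audit would also have to confirm that the chosen ancestor versions actually drop the vulnerable range, which this sketch does not attempt.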

@jakecoffman jakecoffman marked this pull request as ready for review August 6, 2024 20:55
@jakecoffman jakecoffman requested a review from a team as a code owner August 6, 2024 20:55
@jakecoffman
Member Author

Verified it bumps the top-level and the parent of a transient dependency: dsp-testing/npm-multiple-top-level-ancestors#1

@jakecoffman jakecoffman merged commit 4aac28c into main Aug 7, 2024
65 checks passed
@jakecoffman jakecoffman deleted the npm-vulnerable-indirect-and-direct branch August 7, 2024 14:58